Whenever I make an online purchase and the shopping cart redirects me somewhere else, such as the PayPal website, I pay close attention to the URL that is loaded in the browser in case I end up on some fake site.
I've never seen anything like this happen, but it seems that attackers are starting to infect legitimate e-commerce sites, modifying only the payment or checkout pages. The details are discussed on the Sucuri blog, and they are really interesting because these attacks are difficult to detect and can be very effective for cybercriminals.
The infection consists simply of a script that redirects victims to phishing pages when they try to complete the payment on the merchant's website.
This script has been detected on WordPress sites that use the classic WooCommerce plugin, which makes it easy to set up a store. The malicious line is placed in the file form-checkout.php, found in /wp-content/plugins/woocommerce/templates/checkout/
It has also been detected on other platforms such as PrestaShop, where the malicious script is placed in the file shopping-cart.tpl.
The attack can be very effective for criminals, as users can feel confident making a payment after browsing a legitimate store. And for the owners it is not easy to detect, since the redirection occurs only at the time of making the payment.
Criminals could even improve the attack, for example by redirecting only a small percentage of users instead of all of them, so that the owner of the store does not notice a significant drop in sales that would make them suspicious.
Basic tips for webmasters: keep everything up to date, use strong passwords, do not use dubious themes or plugins, and eliminate those that are not being used. It is also useful to use security plugins that can check the integrity of important site files for unauthorized modifications.
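The integrity check mentioned above can be as simple as hashing the checkout templates and comparing them against a known-good baseline. The following is an added example, not code from the original post or from Sucuri; the function names and the sample site tree are constructed for illustration, and only the WooCommerce template path and the two file names come from the text.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that hold checkout templates on the platforms the post names.
WATCHED_SUFFIXES = {".php", ".tpl"}


def snapshot(root):
    """Map each template's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Return files that changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed site tree: take a baseline, alter one template, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        checkout = site / "wp-content/plugins/woocommerce/templates/checkout"
        checkout.mkdir(parents=True)
        template = checkout / "form-checkout.php"
        template.write_text("<?php // constructed clean template\n")
        (site / "shopping-cart.tpl").write_text("{* constructed clean template *}\n")
        baseline = snapshot(site)
        # Simulate an unauthorized edit and a dropped file (constructed content).
        template.write_text("<?php // constructed clean template\n// extra line\n")
        (checkout / "unexpected.php").write_text("<?php // constructed\n")
        return compare(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline somewhere other than the web server, so that whoever can edit the templates cannot also rewrite it, and refresh it after every legitimate plugin or theme update.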